7.1

CVE-2019-10912

EPSS 1.16%
Published 16.05.2019 22:29:00
Last modified 21.11.2024 04:20:08
Source cve@mitre.org
Teams watchlist Login
Open Login

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

Affected products Warnungen 0 Metrics 3 CWE 1 References 16

Data is provided by the National Vulnerability Database (NVD)

Sensiolabs ≫ Symfony Version >= 2.8.0 < 2.8.50

Sensiolabs ≫ Symfony Version >= 3.4.0 < 3.4.26

Sensiolabs ≫ Symfony Version >= 4.1.0 < 4.1.12

Sensiolabs ≫ Symfony Version >= 4.2.0 < 4.2.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.16%	0.778

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.1	2.8	4.2	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://seclists.org/bugtraq/2019/May/21

https://www.debian.org/security/2019/dsa-4441

https://github.com/symfony/symfony/commit/4fb975281634b8d49ebf013af9e502e67c28816b

Patch

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QEAOZXVNDA63537A2OIH4QE77EKZR5O/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BHHIG4GMSGEIDT3RITSW7GJ5NT6IBHXU/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDSM576XIOVXVCMHNJHLBBZBTOD62LDA/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTJGZJLPG5FHKFH7KNAKNTWOGBB6LXAL/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLOZX5BZMQKWG7PJRQL6MB5CAMKBQAWD/

https://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized

Third Party Advisory

https://typo3.org/security/advisory/typo3-core-sa-2019-016/

https://nvd.nist.gov/vuln/detail/CVE-2019-10912

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-10912

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-10912

EUVD